Big Pharma: the New Hustler

That’s the provocative thesis of Jane’s post over at Balkinization for the conference Public Health in the Shadow of the First Amendment. Worth a read! And here’s her second post.

The Cambridge University Press decision and Educational Fair Use

The Eleventh Circuit released its 129-page opinion in Cambridge University Press v. Patton (which most of us probably still think of as the Becker case) last Friday. Although the appeals court reversed what I thought was a pretty solid opinion of the district court upholding Georgia State University’s practice of distributing digital “course packs” of reading materials to its students, it is very far from a big win for the publishers who challenged the practice. There is a lot to like in the opinion for advocates of educational fair use, and it is difficult to imagine that the district court on remand will rule in favor of the publisher plaintiffs with respect to very many of the works at issue even though the appeals court directed changes in some aspects of its fair use analysis. Although it found some errors in the district court’s treatment of the second and third fair use factors, the appeals court sensibly and correctly rejected several arguments that would have materially constricted the scope of educational fair use in the digital arena. (Full disclosure: I joined Jason Schultz’s excellent amicus brief on behalf of Georgia State.)

Although the Court of Appeals’ opinion deserves a close look, I’ll confine myself here just to noting a few highlights.

Celebrities, Copyright, and Cybersecurity

The fall began with a wave of hacked nude celebrity photos (as Tim notes in his great post). The release generated attention to the larger problem of revenge porn – or, more broadly, the non-consensual sharing of intimate media. Legislators and scholars have moved to tackle the problem. Danielle Citron proposes a model statute for criminalizing revenge porn in a Slate article (excerpted from her new book), and California finally got around to dealing with the random selfie-only coverage of its law.

I’ve written an article that proposes using copyright law to address non-consensual sharing (but see Rebecca Tushnet’s critique). It’s worth noting that Reddit took down the illicit celebrity images after receiving a copyright claim – which sites have to respect, on pain of getting sued into oblivion (since Section 230’s immunity doesn’t apply to IP claims). Apparently others have the same idea – one attorney is threatening Google with a $100M lawsuit for failure, in his view, to comply with the DMCA’s takedown requirements. (The letter bloviates and any suit has as much chance of winning as this plaintiff did.) The revenge porn contretemps raises at least four issues:

1. Everyone does it - The sharing of intimate media (videos and images of people nude or engaged in sexual activity) is ubiquitous. Jennifer Lawrence, Kate Upton, Kirsten Dunst – somehow, it took leaks of celebrity intimate media to drive home this point. This has two helpful consequences (one hopes). First, “just say no” should go the way of Nancy Reagan’s campaign, since it had about the same efficacy. Partners sharing intimate media is the new normal, and it’s foolish to pretend otherwise. Second, the moral critique attached to the practice should fade. One common response to revenge porn is “He/she took the risk, so too bad.” That approach focuses culpability on the victim, not the offender. The risk is not in using intimate media – it’s in trusting the wrong person. Most of us have done that at some point.

2. Stupid is as stupid does - Regulating revenge porn properly matters. Here in Arizona, it’s only a matter of time before the state’s terribly-drafted revenge porn bill is enjoined by a federal judge. (The ACLU is suing to block the bill, along with a coalition of bookstores, journalists, and others.) I, along with many others, pointed out that the bill was fatally flawed the moment it passed. This means that victims in Arizona are going to be without protection because their legislators failed them – and that all of us Arizonans are going to fund the state’s defense of a statute that is without hope. The Arizona legislature could have gotten it right – my understanding is that they consulted law professor and revenge porn expert Mary Anne Franks during the drafting – but they whiffed: the drafters apparently ignored Prof. Franks’s good advice. (It’s not as though she drafted a model statute they could have used.) So too with Texas, where the legislature messed up a statute that is arguably underinclusive. So too California, although the Golden State just fixed its law. The lesson is simple: legislators should take their time, get diverse input, and ask the experts.

3. Changing norms - One interesting and hopeful development with the celebrity revenge porn hack is a new wave of calls for people not to look at the pictures. Those calls aren’t likely to be highly effective; there are plenty of people all too eager to see Jennifer Lawrence nude. But this could herald a shift towards disapprobation not only of leaking intimate media, but of viewing it if it’s shared without consent. Norms are powerful regulators, and this change would mark a useful riposte to the gleeful distribution of revenge porn.

4. Everyone needs cybersecurity - It appears that the celebrity photos were obtained through a combination of guessing security questions on Apple’s iCloud service and, perhaps, social engineering. Early reports also suggested that attackers may have simply used dictionary attacks to guess passwords on iCloud. The truth is probably a mix. But it means we all must start to care about cybersecurity. We all have something to hide: credit card numbers, trade secrets, job applications, nude selfies – the list goes on. We carry that information on an ever-increasing array of devices and Internet services. That means we have to invest some time and effort to do things like check privacy and security policies, figure out whether our smartphones encrypt their data, and use good passwords for things we care about. Cybersecurity: it’s not just for geeks anymore.

This isn’t the last we’ll hear of this topic, unfortunately. But perhaps the discourse is shifting in a useful direction…

 

On Accuracy in Cybersecurity

I have a new article on how to address questions of accuracy in cybersecurity up on SSRN. It’s titled Schrödinger’s Cybersecurity; here’s the abstract:

Both law and cybersecurity prize accuracy. Cyberattacks, such as Stuxnet, demonstrate the risks of inaccurate data. An attack can trick computer programs into making changes to information that are technically authorized but incorrect. While computer science treats accuracy as an inherent quality of data, law recognizes that accuracy is fundamentally a socially constructed attribute. This Article argues that law has much to teach cybersecurity about accuracy. In particular, law’s procedural mechanisms and contextual analysis can define concepts such as authorization and correctness that are exogenous to code. The Article assesses why accuracy matters, and explores methods law and cybersecurity deploy to attain it. It argues both law and cybersecurity have but two paths to determining accuracy: hierarchy, and consensus. Then, it defends the controversial proposition that accuracy is constructed through social processes, rather than emerging from information itself. Finally, it offers a proposal styled on the common law to evaluate when accuracy matters, and suggests that regulation should bolster technological mechanisms through a combination of mandates and funding. Like the cat of Schrödinger’s famous thought experiment, information is neither accurate nor inaccurate until observed in social context.

Cite: Derek E. Bambauer, Schrödinger’s Cybersecurity, 48 UC Davis Law Review (forthcoming 2014).

 

ACLU Challenges Arizona Revenge Porn Law

The ACLU, ably assisted by Dentons US LLP, has filed a challenge to Arizona’s revenge porn law in federal district court (complaint, ACLU blog, WIRED story). This is great news for Arizonans: the bill was terribly drafted and unconstitutional from the moment it was signed into law. Fighting revenge porn is important, but as Arizona is about to learn, you don’t get to trample the Constitution even in the service of a good cause. (Here’s my earlier post on the law.)

Icanhazjurisdiction?

Alan Trammell and I have a new article coming out on the problems of personal jurisdiction analysis when it involves Internet contacts. (The title is Personal Jurisdiction and “teh Interwebs”; I tried very hard to convince Alan to go with the title of this post, to no avail.) Abstract is below; we’d love your comments and thoughts.

For nearly twenty years, lower courts and scholars have struggled to figure out how personal jurisdiction doctrine should apply in the Internet age. When does virtual conduct make someone amenable to jurisdiction in any particular forum? The classic but largely discredited response by courts has been to give primary consideration to a commercial Web site’s interactivity. That approach distorts the current doctrine and is divorced from coherent jurisdictional principles. Moreover, scholars have not yielded satisfying answers. They typically have argued either that the Internet is thoroughly exceptional and requires its own rules, or that it is largely unexceptional and can be subject to current doctrinal tests. 

The difficult relationship between the Internet and modern personal jurisdiction doctrine is a symptom of a much larger problem. We argue that the Supreme Court’s current approach has bifurcated physical and intangible harm. Viewed through that lens, the overarching problem comes into focus because rules that sensibly govern the physical world apply awkwardly — sometimes incoherently — to intangible harm. Accordingly, we propose a return to personal jurisdiction’s first principles, particularly a concern for fairness and predictability. We argue that courts should dispense with the fiction that purely virtual conduct creates any meaningful contact with a particular forum. The narrow approach that we advocate likely will restrict the number of places where a plaintiff can sue for intangible harm, but through three test cases we demonstrate why such a rule will enhance fairness and predictability while also ensuring sufficient access to justice.

Cite: Alan M. Trammell & Derek E. Bambauer, Personal Jurisdiction and “teh Interwebs,” 100 Cornell Law Review (forthcoming 2015).

Why Aren’t “Hacked” Celebrities Filing Takedown Notices?

Writing today in Slate, Emily Bazelon complains that the law does not do enough to protect the privacy rights of celebrities whose accounts were illicitly “hacked” last weekend, resulting in the release of unauthorized nude photos the celebrities apparently took of themselves. Bazelon contrasts what she characterizes as the celebrities’ inability to remove their objectionable content from third-party Web sites with the much easier time that big movie studios have getting their works removed from YouTube. She writes:

Every day, movie and TV producers succeed in getting videos that have been posted without their consent taken down from major websites. Sure, you can still find pirated stuff if you look hard enough. But the big sites take down content once they know it’s been posted in violation of copyright. Because if they don’t, they’ll be sued—and no one will care if they defend the publication of stolen materials, in the name of free speech or otherwise.

Yet in the days since Jennifer Lawrence and other celebrities discovered that their nude images were stolen, and then posted without their consent on sites like Reddit and 4Chan, the stars can’t get the images taken down.

But that’s just not so. The law already provides precisely the same safeguards for the celebrities that it does for the movie and TV producers: as the creators (and copyright holders) of works posted online without their permission, they are statutorily entitled under 17 U.S.C. § 512(c) to insist that the hosting web sites remove, or disable access to, that content. Further legislation is unnecessary; all that is necessary for the injured parties to disable access to all the “hacked” photos is to follow the notice-and-takedown procedure specified in Section 512.

The problem is not, as Bazelon argues, that Section 230 of the Communications Decency Act (“CDA”) immunizes the web sites’ unauthorized display of the “hacked” photos. (To the contrary, those sites have apparently already removed some of the leaked content whose distribution violates federal law.) By its express terms [in paragraph (e)(2)], Section 230 provides absolutely no immunity to service providers accused of violating copyright law. Thus, the CDA interposes no bar to the use of Section 512’s notice-and-takedown regime under the present circumstances.

There are real issues raised by the “hacking” scandal, but the big ones are social/cultural, not legal. Posting content created by other people is already punishable both civilly and criminally, and the means to disable online access to such content are already in place. Whether it is fair to require individuals whose privacy has been invaded to avail themselves of their Section 512 rights in order to prevent further invasions is a separate question, but the problem is not, as Bazelon portrays it, the lack of appropriate legislation.

(Of course, Derek has already treated this issue, and responds presciently to the Section 230 objection, elsewhere. Happily for his analysis, the thornier IP problems involved in the repugnant “revenge porn” scenario, where the injured party and the copyright holder may not be the same person, are not present in the context of the hacked celebrity “selfies.”)

Mod a Game Console, Go to Jail

I’ve been puzzling over the 6th Circuit’s new opinion in United States v. Reichert (No. 13-3479, Mar. 28, 2014), in which a divided panel affirmed a defendant’s criminal conviction for violating the Digital Millennium Copyright Act’s anti-trafficking rule (17 U.S.C. § 1201(a)(2)) based on the defendant’s sale of a “modded” video game console to an undercover federal agent.

It’s a confusing opinion. Part of the confusion may have to do with my relative unfamiliarity with criminal law; most of the majority’s opinion is devoted to explaining why the defendant’s violation met the “willfulness” mens rea standard of 17 U.S.C. § 1204(a) despite the defendant’s apparent ignorance of the DMCA. I personally find troubling the court’s characterization of “willfulness” as permitting conviction based on proof that the defendant “deliberately ignored a high probability that he was trafficking in technology” that the DMCA in fact forbids (irrespective of whether the defendant knew that the DMCA forbade such trafficking), which seems to me inconsistent with United States v. Liu, 731 F.3d 982 (9th Cir. 2013), a case that engaged in a much more careful analysis of copyright’s criminal mens rea requirements than does the Reichert panel. But perhaps I’m misreading the court’s opinion on this point; criminal law isn’t my specialty.

My more basic problem is that, quite apart from the mens rea issue, I am having a hard time understanding the underlying DMCA claim.

Cybercrime’s International Challenges

Jane and I are in Cluj-Napoca, Romania, for a conference titled “Crimes, Criminals, and the New Criminal Codes: Assessing the Effectiveness of the Legal Response” at Babeș-Bolyai University. Jane is speaking on “Surveillance in a Technological Age: The Case of the NSA,” and I’m giving a talk based on my forthcoming article Ghost in the Network. I’ll post updates from time to time – one thing I’ve just learned is that Râmnicu Vâlcea, Romania, is known as “Hackerville” because it has become what Francesca Bosco of UNICRI calls the “Silicon Valley of organized crime.”

Updates

  • Straight out of “The Wire”: organized crime hacked systems at the Port of Antwerp to smuggle drugs into the country in shipping containers without detection.
  • Reminder from Jane: FISA doesn’t protect non-U.S. persons who are abroad, and never has.
  • Jane: there is exactly one criminal case where a defendant has received notice that information developed under a FISA order is being used against him/her. (Of course, that’s because the government routinely lies about this.)
  • Giovanni Ziccardi on hate speech: pure cybercrimes are unusual – the real action is in the linkage between “old” crimes and use of computers. In 20 years (1993 – 2013), Italy had 72 unauthorized access cases, 7 virus cases, and 17 about attacks on critical systems (at the country’s 1st and 2nd level courts).
  • Ziccardi: Italy’s draft law 2195 bans Internet anonymity. Appears to have been drafted by squirrels and starlets [my summary].
  • John Vervaele: The EU has only one mechanism for forcing member states to comply with basic standards for human rights – suspending that state’s membership rights. It’s too strong a remedy to be effective in ensuring the rule of law, since the EU is reluctant to deploy it.

Formalism and Slow Victories in “Saving the Neighborhood”

We’re fewer than 24 hours away from seeing Carol Rose and Richard Brooks at a conference at the University of Arizona James E. Rogers College of Law, titled “Saving the Neighborhood,” after their new book. (Spaces still available! Register here.) I posted about the information law aspects of racial covenants here (cross-posted by Jane at Balkinization). Today I want to discuss briefly two additional aspects of the book that I found thought-provoking and counterintuitive: formalism, and slow victories.

On formalism: Rose and Brooks argue that relying on real property law as a mechanism for enforcing racial segregation in housing was risky. It was a gamble because even Southern courts – no friends of integration, as they would show in the full-bore resistance to ending school segregation and to prohibiting Jim Crow laws – were skeptical of the devices. Particularly in the pre-Lochner era, the courts evinced a formalistic understanding of property, and of the need (perhaps even of a constitutional dimension) to prevent governmental interference with property rights. The whole point of racial covenants was to operate as a restraint upon alienation – a restraint that might take considerable effort to evade or remove. The ability to dispose of one’s property as one sees fit is at the heart of classical property theory, checked by policing against externalities (such as pollution) by courts. Courts turned down efforts to limit integration through nuisance lawsuits (via formal conceptions of “use,” which did not include mere status of the purchaser) and through zoning. When homeowners turned next to covenants, they did not have certainty that those deed restrictions would be enforced if challenged.

I find fascinating the clash of goals that was taking place in front of the courts adjudicating nuisance, zoning, and covenant suits. The homeowners or municipalities wanted to enforce segregation against opportunists and defectors (not to mention minority buyers). Doubtless the judges hearing the cases were sympathetic. But they had a different normative ordering: segregation, while certainly appealing, had to be weighed against jurists’ commitment to particular views of property and of constitutional rights. And at least in the case of zoning and nuisance, segregation yielded: protecting a particular, formal conception of property loomed as the more important consideration. For me, this usefully complicated my perception of the court system during this period. My mental model was of the Alabama Supreme Court during the civil rights era – say, during the back-and-forth with the U.S. Supreme Court in NAACP v. Alabama. Judges’ motives and goals encompassed far more than simply defending segregation against all comers, and there were times when countervailing values – such as restraint upon governmental intrusion, or a particular model of real property – prevailed over race-based goals. That I found surprising.

On slow victories: the NAACP, despite a string of defeats, continued to attack racial covenants on the theory that their enforcement constituted state action. This strategy flew in the teeth of the prevailing legal wisdom, which was that these arrangements constituted classic private law, carrying no constitutional implications. In Shelley v. Kraemer, the NAACP’s theory was vindicated – a triumph for equal protection, for integration, and for legal realism, all at once. But it struck me how counterintuitive and edgy this strategy was. The NAACP risked accumulating a string of unfavorable precedents, perhaps even capped by a Supreme Court decision that was, along the lines of Plessy v. Ferguson or Bowers v. Hardwick, a seminal defeat. My own tendencies are far more conservative: you have to pick your spots, and once a theory seems like a consistent loser, you abandon it. The NAACP believed in their vision, as both a legal and moral imperative, and they were proved right. Sometimes you have to lose for a while to win. This seems to have modern resonance: the litigation strategy for marriage equality confronted a string of bad precedent and unfavorable politics, and I was deeply worried when the Supreme Court granted cert in both Windsor and Perry. There, too, the plaintiffs proved that the moral arc of the universe is sometimes shorter than we think – and still bends towards justice.

“Saving the Neighborhood” forces us to re-examine long-held assumptions about racial covenants, housing segregation, clashes of norms over race, and the risks of bold litigation strategies. For that, I’m indebted to Carol Rose and Richard Brooks.